05-29-2009 03:36 AM
We have two internal CSS boxes, one at each site, which we use for redundancy should either CSS box fail. I'm trying to fully understand the config but I'm having difficulty.
Could someone explain how this config works when a request is sent to one of the VIP addresses? Also, how does the failover work if one CSS box fails?
CSS1
circuit VLAN10
ip address 10.128.144.5 255.255.240.0
ip virtual-router 1 priority 101 preempt
ip virtual-router 3
ip redundant-interface 1 10.128.159.254
ip redundant-interface 3 10.128.159.253
ip redundant-vip 1 10.128.152.16
ip redundant-vip 3 10.128.144.21
CSS2
circuit VLAN10
ip address 10.128.152.5 255.255.240.0
ip virtual-router 1
ip virtual-router 3 priority 101 preempt
ip redundant-interface 1 10.128.159.254
ip redundant-interface 3 10.128.159.253
ip redundant-vip 1 10.128.152.13
ip redundant-vip 3 10.128.144.21
05-29-2009 10:22 AM
Hi Darren,
Before attempting this configuration, ensure that you meet these requirements:
- Both of the CSSs you are using for this redundant configuration must be running the same version of code. Running different versions of code is not supported for redundancy.
- Expect the behavior of the CSSs to be active (master)/standby (backup); only the master CSS processes flows.
- You must configure a dedicated Fast Ethernet (FE) link between the CSSs for the Virtual Router Redundancy Protocol (VRRP) heartbeat.
- Do not use box-to-box if you require the connection of a Layer 2 device between the redundant CSS peers. Use VIP redundancy instead.
CSSs participate in a redundant configuration when a redundancy link has been defined between two CSSs. The protocol used for this redundancy link is VRRP, using multicast address 224.0.0.18. The CSSs use this link to maintain contact and activity status with one another. Only one crossover link between the CSSs is supported. You must use a crossover cable to connect directly to the FE ports on the redundant CSSs. Do not use Layer 2 devices between the two CSSs on the redundant link. Do not install the crossover cable on Gigabit Ethernet (GE) ports; this configuration is not supported.
Note: The CSS box-to-box redundancy protocol is now supported on the CSS 11501, CSS 11503, and CSS 11506 GE ports in software version 7.10.1.02 and 7.20.0.01 and later.
There are two main conditions detected on this redundancy link that drive master and backup states on the two CSSs:
- The first condition is maintaining the heartbeat, which is an advertisement every second. The master CSS provides this heartbeat on the redundancy link, and the backup CSS checks for the heartbeat every three seconds (default). If the heartbeat times out (that is, no heartbeat is detected in this period), the backup takes over as master.
The new master CSS begins sending out redundancy protocol messages as well as gratuitous Address Resolution Protocol (ARP) messages to update the ARP tables on neighboring nodes and the forwarding tables of attached bridging devices (for example, Layer 2 switches) with the new master CSS MAC address. The CSS transmits one ARP request packet and one ARP reply packet for every gratuitous ARP invocation.
- The second condition is that of a VRRP switch priority change. The CSS advertising the highest priority is negotiated to become master. This is the mechanism used by the uplink services, and some of the special commands (described below) for initiating a failover event.
Note that in the event that the CSSs are misconfigured (for example, two or more CSSs are set up as the IP redundancy master), the CSS with the highest VRRP IP address takes over as the master.
Issue the ip redundancy command to enable CSS-to-CSS redundancy on two CSSs interfaced with a crossover cable. By default, redundancy is disabled on the CSSs until you issue this command on both CSSs.
When you include the master option with this command, you can designate which CSS is the master CSS. Initially, booting two CSSs interfaced with a crossover cable determines which is the master and which is the backup. The CSS that boots first is the master CSS. If the CSSs boot at the same time, the CSS with the numerically higher IP address becomes the master.
When you issue the ip redundancy master command on the CSS, the CSS becomes the master CSS. You can issue this command on either the current master or backup. If you issue the master option on the backup CSS, the CSS becomes the master and the other CSS automatically becomes the backup.
If you designate a master CSS, the CSS regains master status after going down and then comes up again. For example, when the master CSS goes down, the backup CSS becomes master. When the former designated master CSS comes up again, however, the CSS becomes the master again.
Contd page 2.....
05-29-2009 10:23 AM
page 2....
If you have no requirement to designate a CSS as the master when both CSSs are up, do not include the master option when enabling redundancy on the master CSS.
You can create a service that is associated with a router's IP address. This service enables the master CSS to monitor the router with a keepalive (ICMP). If the keepalive fails, the master relinquishes control and the backup CSS takes control. You can configure more than one service by issuing the type redundancy-up command; the CSSs use all redundancy uplinks when making the failover decision.
If a CSS is active, and loses all uplinks designated as redundancy-up, the CSS relinquishes the active state and becomes the backup. The CSS uses the redundancy protocol to inform the other CSS to become active. If both CSSs have lost their uplinks, a CSS stays in the active state for 45 seconds, waiting for the uplink to come alive. After 45 seconds, if there is still no viable uplink, the CSS goes into backup mode, giving the other switch a try. This allows both CSSs to get a chance to test their uplinks without thrashing back and forth many times each minute.
Note: A CSS goes into failover when there are no longer live uplink services.
Whenever a failover event happens in general usually a G-ARP is sent after a failover to update arp/cam tables.
The following applies to an active-active stateful failover scenario in which the two Content Services Switches (CSS) are in one-armed mode. The configuration in this document combines three major components:
- Active-active failover means that a minimum of two virtual IP addresses are used. Each CSS is the master for one VIP and the backup for the other one.
- Stateful failover indicates that upon failover there is no traffic interruption. The backup CSS knows from the master CSS which flows it receives in case of failover.
- One-armed mode failover means that the CSS is connected to a single VLAN. This scenario requires additional configuration to make sure that the server response goes through the CSS. In this configuration, client NAT (source group) is used.
Here is the URL for Configuring VIP and Virtual IP Interface Redundancy; following the configuration guide may help you:
Configuring Box to box redundancy:
CSS 11500 Active-Active Stateful Failover ASR in One-Armed Mode Configuration Example
Box-to-Box Redundancy on the CSS 11xxx Configuration Example - Ciscowiki
Kindly find full range of configuration examples on CSS here :
Cisco CSS 11500 Series Content Services Switches
Configuration Examples and TechNotes
http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
Kindly see the URL given below for my other articles.
If possible, please rate so that I can be helpful to other people also, as it will enhance my credibility.
Sachinga.hcl
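To make the election rules in the reply above concrete, here is a small simulation added for this page; it is not Cisco code and not from the thread. It models only the rules stated above: the peer advertising the highest priority wins, an equal priority goes to the numerically higher IP, a peer configured with preempt reclaims a virtual router when it comes back, a master whose critical-service keepalive fails hands over at once, and a backup declares a silent master dead after 3 s at the 1 s advertisement rate. The peer names, VRRP IDs, priorities and addresses are the ones from the opening post; the classes Peer, VRouter and Election, the run helper and the outage schedule are this example's own assumptions. It goes slightly beyond the post by ticking through a full outage and return so the effect of preempt on each VRID is visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ADVERT_INTERVAL = 1      # the master advertises once per second (default quoted above)
MASTER_DOWN_SECS = 3     # a backup declares the master dead after 3 s of silence


@dataclass
class VRouter:
    vrid: int
    priority: int = 100      # VRRP default when no priority is configured
    preempt: bool = False


@dataclass
class Peer:
    name: str
    ip: str                   # circuit interface address; breaks priority ties
    vrouters: dict            # vrid -> VRouter
    alive: bool = True        # False: box is down and sends no advertisements
    critical_ok: bool = True  # False: critical / redundancy-up keepalive failed


def advertised_priority(peer, vrid):
    """Priority the peer can advertise for vrid right now, or None if it cannot be master."""
    vr = peer.vrouters.get(vrid)
    if vr is None or not peer.alive or not peer.critical_ok:
        return None
    return vr.priority


class Election:
    """Master election for one VRID, ticked once per advertisement interval."""

    def __init__(self, peers, vrid):
        self.peers = {p.name: p for p in peers}
        self.vrid = vrid
        self.master = None   # name of the peer the backup currently believes is master
        self.silence = 0     # seconds since the backup last heard that master

    def best_candidate(self):
        # highest priority wins; an equal priority goes to the numerically higher IP
        ranked = [(advertised_priority(p, self.vrid), int(ip_address(p.ip)), p.name)
                  for p in self.peers.values()]
        ranked = [r for r in ranked if r[0] is not None]
        return max(ranked)[2] if ranked else None

    def tick(self):
        """Advance one interval and return the master as seen from the backup."""
        m = self.peers.get(self.master)
        if m is None:                                  # initial election
            self.master = self.best_candidate()
        elif advertised_priority(m, self.vrid) is None:
            if m.alive:                                # keepalive failed: the master
                self.master = self.best_candidate()    # tells its peer to take over now
                self.silence = 0
            else:                                      # box dead: only noticed after
                self.silence += ADVERT_INTERVAL        # MASTER_DOWN_SECS without adverts
                if self.silence >= MASTER_DOWN_SECS:
                    self.master = self.best_candidate()
                    self.silence = 0
        else:
            self.silence = 0
            best = self.best_candidate()
            if best != self.master:
                cand = self.peers[best].vrouters[self.vrid]
                # a live master is displaced only by a higher-priority peer with preempt
                if cand.preempt and cand.priority > m.vrouters[self.vrid].priority:
                    self.master = best
        return self.master


def run(peers, vrid, events, seconds):
    """Tick `seconds` times; events maps a second to a function applied to the peers."""
    election = Election(peers, vrid)
    by_name = {p.name: p for p in peers}
    timeline = []
    for t in range(seconds):
        if t in events:
            events[t](by_name)
        timeline.append(election.tick())
    return timeline


def first_post_pair():
    """CSS1 and CSS2 from the opening post: VR1 favours CSS1, VR3 favours CSS2."""
    css1 = Peer("CSS1", "10.128.144.5", {1: VRouter(1, 101, True), 3: VRouter(3)})
    css2 = Peer("CSS2", "10.128.152.5", {1: VRouter(1), 3: VRouter(3, 101, True)})
    return [css1, css2]


def css1_outage():
    """Assumed schedule: CSS1 goes down at t=2 and comes back at t=7."""
    return {2: lambda p: setattr(p["CSS1"], "alive", False),
            7: lambda p: setattr(p["CSS1"], "alive", True)}


if __name__ == "__main__":
    for vrid in (1, 3):
        print(f"VR{vrid}:", run(first_post_pair(), vrid, css1_outage(), 10))
```

Running it shows VR1 staying with CSS1 for three ticks after CSS1 dies (the backup has not yet timed out), moving to CSS2 at the fourth, and returning to CSS1 as soon as it is back because CSS1 has priority 101 with preempt; VR3 never moves, because CSS2 owns it with the same priority and preempt and CSS1 has only the default priority there.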
06-02-2009 06:12 AM
Thanks very helpful, beginning to understand it. Could you clarify one point. Am I correct in thinking that when using Active-Active VIP I must ensure that default gateway of the server uses the same CSS box as the redundant VIP?
06-02-2009 07:37 AM
Yes, the CSS needs to see both sides of a connection.
So the response from the server must go through the same CSS.
This can be done by using different servers for each CSS and setting the gateway on each server to its own CSS.
Or you can use client NAT with a different NATed IP for each CSS.
Gilles.
06-02-2009 07:53 AM
Active-active failover means that a minimum of two virtual IP addresses are used. Each CSS is the master for one VIP and the backup for the other one.
Stateful failover indicates that upon failover there is no traffic interruption. The backup CSS knows from the master CSS which flows it receives in case of failover.
Each service needs to be assigned a redundant-index. You do this only for the content rules that need to be replicated from the master CSS to the backup.
Then you have to create the circuit VLAN, add the ip virtual-router, and assign a VIP to each virtual router. Then define the virtual router's VIP inside the content rule along with the redundant-index for the services.
Inside the service, create a unique redundant-index, which should be the same on both CSSs.
This way you can define Active/Active.
12-09-2010 12:59 PM
LB01
CSS Name | LB01
Circuits
VLAN1 | Private Front-End Zone - Interfaces: GigaEthernet 0 - IP Address 10.70.2.x
VLAN2 | Public Front-End Zone - Interfaces: GigaEthernet 1 - IP Address 10.70.5.x
Redundancy
VLAN1 | Master for APP VIP VRRP Instance and Slave for COM VIP VRRP Instance - No Preempt for Master VRRP Instance - Virtual Interface for each VRRP Instance - Critical Service: upstream-downstream for both VRRP Instances
VLAN2 | Master for APP VIP VRRP Instance and Slave for COM VIP VRRP Instance - No Preempt for Master VRRP Instance - Virtual IP Address for each VRRP Instance - Critical Service: upstream-downstream for both VRRP Instances
Routes | Default Route to MFW01 PubFrontEnd IP Address (10.70.5.1)
Services | IP | Protocol/Port | Keepalive | Type
upstream-downstream | MFW01 PubFrontEnd IP Address | None | Script "ap-kal-pinglist" to ping listed IPs (MFW01 and L2 Switch IP Address) | None
BNKSec_S1 | APP1 IP Address | TCP/443 | Type: TCP | Local
BNKSec_S2 | APP2 IP Address | TCP/443 | Type: TCP | Local
BNKn_S1 | APP1 IP Address | TCP/808n | Type: http, Method: head | Local
BNKn_S2 | APP2 IP Address | TCP/808n | Type: http, Method: head | Local
COM1 | COM1 IP Address | TCP/7777 | Type: TCP | Local
COM2 | COM2 IP Address | TCP/7777 | Type: TCP | Local
Owners and Content Rules | VIP/Protocol/Port | Domain Name | Services | Stickiness
BNKSec-HTTPS-Rule | APP VIP/TCP/443 | None | BNKSec_S1, BNKSec_S2 | None
BNKn-HTTP-Rule | APP VIP/TCP/80 | BNKn.Domain_Name | BNKn_S1, BNKn_S2 | None
COM-Rule | COM VIP/TCP/7777 | None | COM1, COM2 | None
LB02
CSS Name | LB02
Circuits
VLAN1 | Private Front-End Zone - Interfaces: GigaEthernet 0 - IP Address according to the IP addressing scheme
VLAN2 | Public Front-End Zone - Interfaces: GigaEthernet 1 - IP Address according to the IP addressing scheme
Redundancy
VLAN1 | Master for COM VIP VRRP Instance and Slave for APP VIP VRRP Instance - Preempt for Master VRRP Instance - Virtual Interface for each VRRP Instance - Critical Service: upstream-downstream for both VRRP Instances
VLAN2 | Master for COM VIP VRRP Instance and Slave for APP VIP VRRP Instance - Preempt for Master VRRP Instance - Virtual IP Address for each VRRP Instance - Critical Service: upstream-downstream for both VRRP Instances
Routes | Default Route to MFW01 PubFrontEnd IP Address
Services | IP | Protocol/Port | Keepalive | Type
upstream-downstream | MFW01 PubFrontEnd IP Address | None | Script "ap-kal-pinglist" to ping listed IPs (MFW01 and L2 Switch IP Address) | None
BNKSec_S1 | APP1 IP Address | TCP/443 | Type: TCP | Local
BNKSec_S2 | APP2 IP Address | TCP/443 | Type: TCP | Local
BNKn_S1 | APP1 IP Address | TCP/808n | Type: http, Method: head | Local
BNKn_S2 | APP2 IP Address | TCP/808n | Type: http, Method: head | Local
COM1 | COM1 IP Address | TCP/7777 | Type: TCP | Local
COM2 | COM2 IP Address | TCP/7777 | Type: TCP | Local
Owners and Content Rules | VIP/Protocol/Port | Domain Name | Services | Stickiness
BNKSec-HTTPS-Rule | APP VIP/TCP/443 | None | BNKSec_S1, BNKSec_S2 | None
BNKn-HTTP-Rule | APP VIP/TCP/80 | BNKn.Domain_Name | BNKn_S1, BNKn_S2 | None
COM-Rule | COM VIP/TCP/7777 | None | COM1, COM2 | None
12-09-2010 02:44 PM
Is this correct configuration as per above requirement ? Please verify. Will be appreciated your kind help. Thanks
CSS-1 Configuration
****************Global**********************
ip redundancy
ip route 0.0.0.0 0.0.0.0 10.70.5.1
*****************Interface******************
Interface Gi0
bridge 1
Interface Gi1
bridge 2
*****************Circuit********************
circuit VLAN1
ip address 10.70.2.1 255.255.255.0
ip virtual-router 1 priority 101
ip virtual-router 2
ip redundant-interface 1 10.70.2.254 default gateway
ip redundant-interface 2 10.70.2.253 default gateway
ip critical-service 1 upstream_downstream
ip critical-service 2 upstream_downstream
circuit VLAN2
ip address 10.70.5.3 255.255.255.0
ip virtual-router 3 priority 101
ip virtual-router 4
ip redundant-vip 3 10.70.5.100
ip redundant-vip 4 10.70.5.101
ip redundant-interface 3 10.70.5.254
ip redundant-interface 4 10.70.5.253
ip critical-service 3 upstream_downstream
ip critical-service 4 upstream_downstream
*****************Services********************
service upstream_downstream
! 10.70.5.1 is the IP address of MFW01
ip address 10.70.5.1
keepalive type script ap-kal-pinglist "10.70.5.1"
service BNKSec_S1
protocol tcp
ip address 10.70.2.20
port 443
keepalive type tcp
active
service BNKSec_S2
protocol tcp
ip address 10.70.2.21
port 443
keepalive type tcp
active
service BNKn_S1
protocol tcp
ip address 10.70.2.20
port 80
keepalive type tcp
active
service BNKn_S2
protocol tcp
ip address 10.70.2.21
port 80
keepalive type tcp
active
service COM1
protocol tcp
ip address 10.70.2.10
port 7777
keepalive type tcp
active
service COM2
protocol tcp
ip address 10.70.2.11
port 7777
keepalive type tcp
active
*****************Owner***********************
Owner Sample
Content BNKSec-HTTPS-Rule
protocol tcp
port 443
add BNKSec_S1
add BNKSec_S2
vip 10.70.5.100
active
Content BNKn-HTTP-Rule
protocol tcp
port 80
add BNKn_S1
add BNKn_S2
vip 10.70.5.100
active
Content COM-Rule
protocol tcp
port 7777
add COM1
add COM2
vip 10.70.5.101
active
------------------------------------------------------
CSS-2 Configuration
****************Global**********************
ip redundancy
ip route 0.0.0.0 0.0.0.0 10.70.5.1
*****************Interface******************
Interface Gi0
bridge 1
Interface Gi1
bridge 2
*****************Circuit********************
circuit VLAN1
ip address 10.70.2.2 255.255.255.0
ip virtual-router 1
ip virtual-router 2 priority 101
ip redundant-interface 1 10.70.2.254
ip redundant-interface 2 10.70.2.253
ip critical-service 1 upstream_downstream
ip critical-service 2 upstream_downstream
circuit VLAN2
ip address 10.70.5.4 255.255.255.0
ip virtual-router 3
ip virtual-router 4 priority 101
ip redundant-vip 3 10.70.5.100
ip redundant-vip 4 10.70.5.101
ip redundant-interface 3 10.70.5.254
ip redundant-interface 4 10.70.5.253
ip critical-service 3 upstream_downstream
ip critical-service 4 upstream_downstream
*****************Services********************
service upstream_downstream
! 10.70.5.1 is the IP address of MFW01
ip address 10.70.5.1
keepalive type script ap-kal-pinglist "10.70.5.1"
service BNKSec_S1
protocol tcp
ip address 10.70.2.20
port 443
keepalive type tcp
active
service BNKSec_S2
protocol tcp
ip address 10.70.2.21
port 443
keepalive type tcp
active
service BNKn_S1
protocol tcp
ip address 10.70.2.20
port 80
keepalive type tcp
active
service BNKn_S2
protocol tcp
ip address 10.70.2.21
port 80
keepalive type tcp
active
service COM1
protocol tcp
ip address 10.70.2.10
port 7777
keepalive type tcp
active
service COM2
protocol tcp
ip address 10.70.2.11
port 7777
keepalive type tcp
active
*****************Owner***********************
Owner Sample
Content BNKSec-HTTPS-Rule
protocol tcp
port 443
add BNKSec_S1
add BNKSec_S2
vip 10.70.5.100
active
Content BNKn-HTTP-Rule
protocol tcp
port 80
add BNKn_S1
add BNKn_S2
vip 10.70.5.100
active
Content COM-Rule
protocol tcp
port 7777
add COM1
add COM2
vip 10.70.5.101
active
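The thread never says what to look for when comparing the two boxes, so here is a checker added for this page; it is not Cisco's code and not from the thread. It parses only the redundancy-relevant lines of two CSS configs (ip virtual-router, ip redundant-vip, ip redundant-interface and the add lines inside content rules) and reports the mismatches that matter for a redundant pair: a VRID defined on one peer only, a redundant VIP or interface address that differs between peers, a VRID with equal priority on both sides (so mastership falls to the higher IP rather than the intended box), and a content rule that adds the same service twice. The sample configs are constructed for this example: the first pair reproduces the circuit VLAN10 stanzas from the opening post, where ip redundant-vip 1 is 10.128.152.16 on CSS1 but 10.128.152.13 on CSS2 (whether that is a typo in the post or a real misconfiguration is not something the thread settles); the second pair is the VLAN2 circuit and a COM-Rule built from the later post, with a duplicated add COM1 line of the kind that is easy to make when copying a rule. The function names parse_css and check_pair and the constant names are this example's own.

```python
import re
from collections import defaultdict

# Lines this checker cares about; everything else in the config is ignored.
VR_RE = re.compile(r"^ip virtual-router (\d+)(?: priority (\d+))?( preempt)?")
RED_RE = re.compile(r"^ip redundant-(vip|interface) (\d+) (\S+)")
ADD_RE = re.compile(r"^add (\S+)")


def parse_css(text):
    """Pull virtual routers, redundant VIP/interface addresses and content-rule
    members out of a CSS config.  Priority defaults to 100 when none is set."""
    cfg = {"vr": {}, "vip": {}, "interface": {}, "rules": defaultdict(list)}
    rule = None
    for raw in text.splitlines():
        s = raw.strip()
        if m := VR_RE.match(s):
            cfg["vr"][int(m[1])] = (int(m[2] or 100), m[3] is not None)
        elif m := RED_RE.match(s):
            cfg[m[1]][int(m[2])] = m[3]
        elif s.lower().startswith("content "):
            rule = s.split(None, 1)[1]
        elif rule and (m := ADD_RE.match(s)):
            cfg["rules"][rule].append(m[1])
    return cfg


def check_pair(a_name, a_text, b_name, b_text):
    """Compare two peers' configs and return a list of human-readable problems."""
    a, b = parse_css(a_text), parse_css(b_text)
    problems = []
    for vrid in sorted(set(a["vr"]) | set(b["vr"])):
        if vrid not in a["vr"] or vrid not in b["vr"]:
            problems.append(f"VR{vrid}: virtual router defined on only one peer")
            continue
        if a["vr"][vrid][0] == b["vr"][vrid][0]:
            problems.append(f"VR{vrid}: equal priority on both peers, master decided by higher IP")
        for kind in ("vip", "interface"):   # both peers must agree on every shared address
            va, vb = a[kind].get(vrid), b[kind].get(vrid)
            if va != vb:
                problems.append(f"VR{vrid}: redundant-{kind} differs ({a_name}={va}, {b_name}={vb})")
    for name, cfg in ((a_name, a), (b_name, b)):
        for rule, members in cfg["rules"].items():
            dups = sorted({s for s in members if members.count(s) > 1})
            if dups:
                problems.append(f"{name} content {rule}: service added twice: {', '.join(dups)}")
    return problems


# Constructed sample: the VLAN10 circuits from the opening post.  CSS2 differs
# from CSS1 only in its interface address, which VRID it favours, and the
# redundant-vip 1 address that does not match.
CSS1_POST1 = """\
circuit VLAN10
  ip address 10.128.144.5 255.255.240.0
  ip virtual-router 1 priority 101 preempt
  ip virtual-router 3
  ip redundant-interface 1 10.128.159.254
  ip redundant-interface 3 10.128.159.253
  ip redundant-vip 1 10.128.152.16
  ip redundant-vip 3 10.128.144.21
"""
CSS2_POST1 = (CSS1_POST1.replace("10.128.144.5", "10.128.152.5")
              .replace("ip virtual-router 1 priority 101 preempt", "ip virtual-router 1")
              .replace("ip virtual-router 3\n", "ip virtual-router 3 priority 101 preempt\n")
              .replace("10.128.152.16", "10.128.152.13"))

# Constructed sample: the VLAN2 circuit and a COM-Rule from the later post, with
# the same service added twice.  LB02 differs only in address and priorities.
LB1 = """\
circuit VLAN2
  ip address 10.70.5.3 255.255.255.0
  ip virtual-router 3 priority 101
  ip virtual-router 4
  ip redundant-vip 3 10.70.5.100
  ip redundant-vip 4 10.70.5.101
  ip redundant-interface 3 10.70.5.254
  ip redundant-interface 4 10.70.5.253
owner Sample
  content COM-Rule
    protocol tcp
    port 7777
    add COM1
    add COM1
    vip 10.70.5.101
    active
"""
LB2 = (LB1.replace("10.70.5.3 255", "10.70.5.4 255")
       .replace("ip virtual-router 3 priority 101", "ip virtual-router 3")
       .replace("ip virtual-router 4\n", "ip virtual-router 4 priority 101\n"))

if __name__ == "__main__":
    for label, pair in (("first post", ("CSS1", CSS1_POST1, "CSS2", CSS2_POST1)),
                        ("LB pair", ("LB01", LB1, "LB02", LB2))):
        print(label, check_pair(*pair) or ["no problems found"])
```

Feed it the full running-config of each box (show running-config on the CSS, saved to a file) rather than the trimmed stanzas above; the regular expressions skip lines they do not recognise, so the rest of the config does no harm. A redundant-vip that differs between peers means the two boxes are not protecting the same address, which is the kind of error that only shows up on the day of a failover.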